Question No: 201

A user is unable to establish an AnyConnect VPN connection to an ASA. When using the Real-Time Log viewer within ASDM to troubleshoot the issue, which two filter options would the administrator choose to show only syslog messages relevant to the VPN connection? (Choose two.)

A. Client's public IP address

B. Client's operating system

C. Client's default gateway IP address

D. Client's username

E. ASA's public IP address

Answer: A,D
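Why only the client's public IP address and username are useful filters: those are the two identifiers the ASA actually stamps on its AnyConnect/WebVPN syslog messages, while the client's operating system and default gateway never appear in them. The following added example (not part of the original question set) reproduces that filtering over constructed syslog lines; the message formats are modelled on ASA documentation, and the addresses, group name and usernames are invented:

```python
import re

# Constructed sample lines shaped like the AnyConnect/WebVPN syslog messages an
# ASA emits during a client session (formats modelled on ASA documentation; the
# IPs, group and user names are invented, not a real capture).
SAMPLE_SYSLOG = """\
%ASA-6-302013: Built inbound TCP connection 4101 for outside:198.51.100.7/51324 (198.51.100.7/51324) to identity:203.0.113.1/443 (203.0.113.1/443)
%ASA-6-725001: Starting SSL handshake with client outside:198.51.100.7/51324 for TLS session.
%ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = jdoe
%ASA-6-722022: Group <ANYCONNECT_GRP> User <jdoe> IP <198.51.100.7> TCP SVC connection established without compression
%ASA-6-302014: Teardown TCP connection 4102 for outside:192.0.2.44/60012 to identity:203.0.113.1/443 duration 0:00:02 bytes 1201 TCP FINs
%ASA-6-113004: AAA user authentication Successful : server = 10.1.1.5 : user = asmith
%ASA-4-113019: Group = ANYCONNECT_GRP, Username = jdoe, IP = 198.51.100.7, Session disconnected. Session Type: SSL, Duration: 0h:00m:09s, Bytes xmt: 2931, Bytes rcv: 1174, Reason: User Requested
"""


def vpn_session_filter(syslog_text, client_ip, username):
    """Keep only the lines that mention the client's public IP or username.

    These are the two fields the ASA stamps on VPN syslogs, which is why they
    are the useful Real-Time Log Viewer filters. The client's OS or default
    gateway never appear in the messages, so filtering on them matches nothing.
    """
    # Whole-address match: 198.51.100.7 must not also match 198.51.100.70.
    ip_re = re.compile(r"(?<![\d.])" + re.escape(client_ip) + r"(?![\d.])")
    # Covers the three spellings seen above: "user = jdoe", "User <jdoe>",
    # "Username = jdoe".
    user_re = re.compile(
        r"\buser(?:name)?\s*[=<]\s*" + re.escape(username) + r"\b", re.IGNORECASE
    )
    return [
        line
        for line in syslog_text.splitlines()
        if line and (ip_re.search(line) or user_re.search(line))
    ]


def message_ids(lines):
    """Return the sorted set of %ASA-<severity>-<id> message IDs in the given lines."""
    return sorted({m.group(1) for l in lines if (m := re.match(r"%ASA-\d-(\d+):", l))})


if __name__ == "__main__":
    hits = vpn_session_filter(SAMPLE_SYSLOG, "198.51.100.7", "jdoe")
    for line in hits:
        print(line)
    print("message IDs:", message_ids(hits))
```

Run against the sample, the filter keeps the TCP build-up, TLS handshake, AAA success, SVC establishment and session-disconnect lines for jdoe at 198.51.100.7 and drops the unrelated connection from 192.0.2.44 and the authentication of asmith, which is exactly what the two ASDM filters would do on a live box.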

Question No: 202

Using the Next Generation Encryption technologies, which is the minimum acceptable encryption level to protect sensitive information?

A. AES 92 bits

B. AES 128 bits

C. AES 256 bits

D. AES 512 bits

Answer: C

Question No: 203

Which option describes the purpose of the command show derived-config interface virtual-access 1?

A. It verifies that the virtual access interface is cloned correctly with per-user attributes.

B. It verifies that the virtual template created the tunnel interface.

C. It verifies that the virtual access interface is of type Ethernet.

D. It verifies that the virtual access interface is used to create the tunnel interface.

Answer: A

Question No: 204

A network is configured to allow clientless access to resources inside the network. Which feature must be enabled and configured to allow SSH applications to respond on the specified port 8889?

Certificates have a date and time that they become valid and that they expire. When the security appliance enrolls with a CA and gets a certificate, the security appliance checks that the current time is within the valid range for the certificate. If it is outside that range, enrollment fails.

The same applies to the certificate exchange between the ASA and the PC: if either side's clock is outside the certificate's validity window, the connection fails.

Question No: 207

Which type of NHRP packet is unique to Phase 3 DMVPN topologies?

A. resolution request

B. resolution reply

C. redirect

D. registration request

E. registration reply

F. error indication

Answer: C

Question No: 208

You are troubleshooting a site-to-site VPN issue where the tunnel is not establishing. After issuing the debug crypto isakmp command on the headend router, you see the following output. What does this output suggest?

1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10

A. Phase 1 policy does not match on both sides.

B. The transform set does not match on both sides.

C. ISAKMP is not enabled on the remote peer.

D. There is a mismatch in the ACL that identifies interesting traffic.

Answer: A
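A Main Mode failure is a Phase 1 symptom, and each of the four distractors above has its own characteristic debug output. The added example below (not part of the original question set) turns that into a small classifier: it maps IOS debug crypto isakmp / debug crypto ipsec lines to the peer-side setting to compare first. The sample lines are constructed, modelled on commonly seen IOS debug strings and CRYPTO syslogs rather than taken from a real router, and the categories are a troubleshooting heuristic, not a definitive diagnosis:

```python
import re

# Constructed sample lines modelled on commonly seen IOS "debug crypto isakmp" /
# "debug crypto ipsec" output and CRYPTO syslogs. Not a capture from a real
# router; the peer addresses are invented.
SAMPLE_DEBUG = [
    "1d00h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main Mode failed with peer at 10.10.10.10",
    "1d00h: ISAKMP:(0):atts are not acceptable. Next payload is 0",
    "1d00h: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 192.0.2.1:0, remote= 10.10.10.10:0",
    "1d00h: ISAKMP:(1002): IPSec policy invalidated proposal with error 32",
    "1d00h: IPSEC(ipsec_process_proposal): proxy identities not supported",
    "1d00h: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.10.10.10 has no SA and is not an initialization offer",
]

# Ordered (pattern, category) rules; the first match wins. Each category names
# the peer-side setting to compare first, it is a heuristic, not a diagnosis.
RULES = [
    (re.compile(r"IKMP_MODE_FAILURE: Processing of Main Mode failed"), "PHASE1_POLICY_MISMATCH"),
    (re.compile(r"atts are not acceptable"), "PHASE1_POLICY_MISMATCH"),
    (re.compile(r"IPSec policy invalidated proposal"), "PHASE2_TRANSFORM_SET_MISMATCH"),
    (re.compile(r"proxy identities not supported"), "CRYPTO_ACL_MISMATCH"),
    (re.compile(r"IKMP_NO_SA: IKE message from .* has no SA"), "NO_ISAKMP_SA_ON_PEER"),
]

# What to compare on both peers for each category (standard IOS show/clear commands).
CHECKLIST = {
    "PHASE1_POLICY_MISMATCH": "Compare 'show crypto isakmp policy' on both peers: encryption, hash, DH group, authentication, lifetime.",
    "PHASE2_TRANSFORM_SET_MISMATCH": "Compare 'show crypto ipsec transform-set' and the crypto map's 'set transform-set' on both peers.",
    "CRYPTO_ACL_MISMATCH": "Compare the crypto ACLs: each side's ACL must be the mirror image of the other's.",
    "NO_ISAKMP_SA_ON_PEER": "Confirm 'crypto isakmp enable' on the peer and clear stale SAs with 'clear crypto isakmp'.",
}

PEER_RE = re.compile(r"(?:peer at|message from|remote=)\s*(\d{1,3}(?:\.\d{1,3}){3})")


def classify(line):
    """Return the category of a single debug/syslog line, or UNKNOWN."""
    for pattern, category in RULES:
        if pattern.search(line):
            return category
    return "UNKNOWN"


def peer_address(line):
    """Extract the remote peer's IPv4 address if the line names one."""
    m = PEER_RE.search(line)
    return m.group(1) if m else None


def summarize(lines):
    """Count categories and collect the peers involved, skipping UNKNOWN lines."""
    summary = {"categories": {}, "peers": set()}
    for line in lines:
        category = classify(line)
        if category == "UNKNOWN":
            continue
        summary["categories"][category] = summary["categories"].get(category, 0) + 1
        if (ip := peer_address(line)):
            summary["peers"].add(ip)
    return summary


if __name__ == "__main__":
    result = summarize(SAMPLE_DEBUG)
    for category, count in result["categories"].items():
        print(f"{category} x{count}: {CHECKLIST[category]}")
    print("peers involved:", ", ".join(sorted(result["peers"])))
```

The first sample line is the one quoted in the question; it lands in PHASE1_POLICY_MISMATCH, matching answer A. The validate_proposal_request line is deliberately left unclassified to show that the rules only act on strings with a known meaning rather than guessing on every line.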

Question No: 209

Authorization of a clientless SSL VPN defines the actions that a user may perform within a clientless SSL VPN session. Which statement is correct concerning the SSL VPN authorization process?

A. Remote clients can be authorized by applying a dynamic access policy, which is configured on an external AAA server.

B. Remote clients can be authorized externally by applying group parameters from an external database.

C. Remote client authorization is supported by RADIUS and TACACS protocols.

D. To configure external authorization, you must configure the Cisco ASA for cut-through proxy.

Answer: B

Explanation:

CISCO SSL VPN guide

The aaa authentication command is entered to specify an authentication list or server group under an SSL VPN context configuration. If this command is not configured and AAA is configured globally on the router, global authentication will be applied to the context configuration.

The database that is configured for remote-user authentication on the SSL VPN gateway can be a local database, or the database can be accessed through any RADIUS or TACACS AAA server.

We recommend that you use a separate AAA server, such as a Cisco Access Control Server (ACS). A separate AAA server provides a more robust security solution. It allows you to configure unique passwords for each remote user and accounting and logging for remote-user sessions.

Question No: 210

What is the default storage location of user-level bookmarks in an IOS clientless SSL VPN?